FitMetrix, which makes performance-tracking software that gym owners can brand and offer to their customers, has exposed millions of customers’​ records, because they were maintaining completely open cloud servers. To boot, the records were accessed by cybercriminals prior to the public access being shut down.

The Hacken security team stumbled across an open database while browsing the Shodan Internet of Things (IoT) search engine for accessible Elasticsearch buckets. Elasticsearch is a database that stores, retrieves, and manages document-oriented and semi-structured data. It, like other popular non-SQL databases, is a popular target for malicious actors, according to Hacken.

According to Bob Diachenko, director of cyber-risk research at Hacken, the database contains 119GB of data with two different indexes: The total count of records in ‘platformaudit’ was 122,869,970; and the total count of records in ‘fitmetrixaudit’ was 113,521,722. When Diachenko found the database on Oct. 5, no password or login was required to view the data.

The information includes daily FitMetrix platform audit data, recorded from July 15th to Sept 19th, including customer profile information. Hacken found that this includes personal information like name, gender, email, birth date, emergency contact information and the contact’s relationship to the customer, nickname, shoe size, height and weight, Facebook ID, mobile phone, home phone and activity level. In other words, everything needed to mount convincing follow-on social-engineering attacks.

“We assume that not all of those records represent customer records. Part of the records relate to ‘facility’ descriptions, but nevertheless the numbers are big,” Diachenko said in a posting this week.

However, that wasn’t the worst part.

“Moreover, it has been labeled by Shodan as ‘compromised,’ meaning that database contains a ‘readme’ file with a ransom demand note,” he said. “It appears that the attackers are using a script that automates the process of accessing a database, possibly exporting it, deleting the database and then creating the ransom note. This script sometimes fails, and the data is still available to the user even though a ransom note is created.”

After several emails to FitMetrix and Mindbody resulted in no response, Diachenko decided to go public.

“Finally, after several notification attempts, Mindbody responded and database was secured on October 10th,” he said.

Jason Loomis, CISO at FitMetrix parent Mindbody, gave a statement to TechCrunch: “We recently became aware that certain data associated with FitMetrix technology stored online may have been publicly exposed. We took immediate steps to close this vulnerability. Current indications are that this data included a subset of the consumers managed by FitMetrix, which was acquired by Mindbody in February 2018, and did not include any login credentials, passwords, credit-card information or personal health information.”

Leaving cloud databases open to public view – most often Amazon Web Services S3 storage buckets – is an all-too-common problem, and has resulted in reams of data breaches in recent years.

Recently, for instance, the domain provider GoDaddy made headlines when a cloud storage misconfiguration exposed high-level configuration information for tens of thousands of systems within its hosting infrastructure (and competitively sensitive pricing options for running those systems).

Clearly, organizations are not learning from the past mistakes of others.

“Leaving yet another bucket open to the public is not surprising,” said George Avetisov, CEO of HYPR, via email. “A percentage of companies contain AWS misconfigurations, or implement control restrictions incorrectly – not everyone has a full understanding of new technologies. This is a prime example of how centralization of data on an unprotected database inevitably results in unauthorized access and accidental breaches of customer information.”